Re: GPO question
From: Clayton Sutton (none_at_none.com)
Date: 03/25/05
- Previous message: Paul Bergson: "Re: GPO question"
- In reply to: Paul Bergson: "Re: GPO question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Mar 2005 16:52:35 -0600
Thanks Paul for your reply but I just found the answer. Here it is, and it
worked great:
Upgrading Windows 2000 domains to Windows Server 2003 domains and
interaction with Group Policy Modeling.
Group Policy Modeling is a new feature of Windows Server 2003 that simulates
the resultant set of policy for a given configuration. The simulation is
performed by a service that runs on Windows Server 2003 domain controllers.
In order to perform the simulation in cross-domain scenarios, the service
must have read access to all GPOs in the forest.
In a Windows Server 2003 domain (whether it is upgraded from Windows 2000 or
installed as new), the Enterprise Domain Controllers group is automatically
given read access to all newly created GPOs. This ensures that the service
can read all GPOs in the forest.
However, if the domain was upgraded from Windows 2000, any existing GPOs
that were created before the upgrade do not have read access for the
Enterprise Domain Controllers group. When you click a GPO, GPMC detects this
situation and notifies the user that Enterprise Domain Controllers do not
have read access to all GPOs in this domain. To solve this problem, you can
use one of the sample scripts provided with GPMC,
GrantPermissionOnAllGPOs.wsf. This script can update the permissions for all
GPOs in the domain. To use this script:
1. Ensure that the person running this script is either a Domain Admin or
has permissions to modify security on all GPOs in the domain.
2. Open a command prompt and navigate to the %programfiles%\gpmc\scripts
folder by typing: CD /D %programfiles%\gpmc\scripts
3. Type the following: Cscript GrantPermissionOnAllGPOs.wsf "Enterprise
Domain Controllers" /Permission:Read /Domain:value
The value of domain parameter is the DNS name of the domain.
Clayton
"Paul Bergson" <pbergson@allete.com> wrote in message
news:OdAt9qYMFHA.2576@TK2MSFTNGP10.phx.gbl...
> Is the DFS service running? Without it replication and access of gpo's
> (sysvol isn't working) isn't available.
>
> --
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Clayton Sutton" <none@none.com> wrote in message
> news:uQcS6vWMFHA.3336@TK2MSFTNGP09.phx.gbl...
>> We just upgraded our DCs from w2k to w3k. My workstation is XP Pro sp2
> and
>> I am running the "Group Policy Management Consoel w/sp1. Everything was
>> working fine until after the Windows upgrade. Now I recevie the
>> following
>> msg. when I click on a GPO object:
>>
>> "The Enterprise Domain Controllers group does not have read access to
>> this
>> GPO. The Enterprise Domain Controllers group must have read access on
>> all
>> GPOs in the domain in order for Group Policy Modeling to function
> properly."
>>
>> Any ideas? Thanks for any and all help.
>>
>>
>> Clayton
>>
>>
>
>
- Previous message: Paul Bergson: "Re: GPO question"
- In reply to: Paul Bergson: "Re: GPO question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
